    iptables ftp connection tracking

    #1 Dino (Just Joined!, joined Jan 2009, 2 posts)


    Hi,

    Appreciate any advice on iptables with FTP connection tracking. The script
    below seems to work fine, but I am not sure what I am missing. Did I
    compromise any security issue with iptables with regard to FTP and
    connection tracking? You will notice that I have not used the state module to
    monitor the connection, but it still works. Thanks.

    ---snip---

    UNPRIVPORTS="1024:65535"   # unprivileged (client/ephemeral) port range; top of range is 65535

    #Allow FTP traffic (Control) - client ephemeral port <-> server port 21
    iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 21 --dport $UNPRIVPORTS -j ACCEPT
    #Allow FTP traffic (Data) - active mode: server port 20 <-> client ephemeral port
    iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 20 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT

    ---snip---

    Thanks.

    Dino

    #2 Lazydog, Linux Guru (The Keystone State, joined Jun 2004, 2,677 posts)

    I would have just tracked FTP connections with 'ip_conntrack_ftp'. Then there is no need for the rules for port 20, as the ftp conntrack would know about and allow this connection. As it stands now, anyone could still try to establish a connection on port 20.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
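    An added example (not from either poster) of the conntrack-based approach Robert describes: the FTP helper is loaded and assigned explicitly, and only the control port gets a static rule, so nothing listens to unsolicited traffic on port 20. It assumes a server-side ruleset, a kernel of 4.7 or later (where helpers are no longer attached automatically, hence the CT rule in the raw table), and that default DROP policies on INPUT/OUTPUT are set elsewhere in the script; IPT and MODPROBE are hypothetical variables so the rules can be printed instead of applied.

```shell
#!/bin/sh
# FTP server rules using the conntrack FTP helper (added example, not the
# original poster's script). Run as root with "apply" to install the rules;
# set IPT=echo MODPROBE=echo to print them instead.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

apply_ftp_rules() {
    # The helper parses PORT/PASV on the control channel and registers the
    # negotiated data connection as an expectation, so it later matches RELATED.
    $MODPROBE nf_conntrack_ftp

    # Kernels >= 4.7 do not attach helpers automatically (nf_conntrack_helper
    # defaults to 0); assign the ftp helper to incoming control-channel traffic.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to a tracked connection, or expected by one (the FTP
    # data channel in both active and passive mode), are accepted here.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection accepted from outside is to the control port.
    # Active-mode data (server port 20 outbound) and passive-mode data
    # (client to a high port inbound) both arrive as RELATED, so there is no
    # static port-20 rule and no way to open port 20 without a control session.
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Stray NEW packets that were not matched above fall through to the
    # (assumed) DROP policy; log them so attempts on port 20 are visible.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
}

case "${1:-}" in apply) apply_ftp_rules ;; esac
```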

    #3 Dino (Just Joined!, joined Jan 2009, 2 posts)
    Thank you!
